[PATCH] httprepo: long arguments support (issue2126)

Steven Brown stevengbrown at gmail.com
Sun Mar 27 04:21:24 CDT 2011


On 21 March 2011 22:54, Laurens Holst <laurens.nospam at grauw.nl> wrote:
> On 21-03-11 08:30, Dirkjan Ochtman wrote:
>>
>> On Mon, Mar 21, 2011 at 02:39, Matt Mackall <mpm at selenic.com> wrote:
>>>
>>> Let's try to get more discussion on whether POST is acceptable and
>>> anyone is using POST filtering.
>>
>> AFAICT restricting push access by filtering out POST requests is a
>> fairly common setup.
>
> Yes I do that too, it was the setup described on the wiki. And fairly
> convenient I must say (and properly RESTful :)).
>
> ~Laurens
>

It would still be possible to authenticate on push like this:

RewriteEngine on
RewriteCond %{QUERY_STRING} cmd=unbundle
RewriteRule .* - [E=hg_auth:1]

<Location /hg>
    Order Allow,Deny
    Allow from env=!hg_auth
    AuthType Basic
    AuthName "Mercurial repositories"
    AuthUserFile /home/user/hg/hgusers
    Require valid-user
    Satisfy Any
</Location>

This new configuration will also work for existing servers, without
upgrading Mercurial. So it could be added to the Wiki as soon as this
patch is accepted, and POST filtering could be deprecated.

For existing servers using POST filtering:
- Make a one-time change to the Apache configuration.
- This change can be made at any time, even before upgrading Mercurial.
- If the change is not made before upgrading Mercurial, pushes will
still be authenticated, so there is no security concern. However,
users will be prompted for authentication when using the clone,
incoming, outgoing or pull commands until the configuration is
updated.

This seems quite reasonable to me. What does everyone else think?
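
A model of the two access policies discussed in this message, as an added example that is not part of the original e-mail or of Mercurial: it checks which requests each policy would challenge for credentials. The non-GET form of the POST filter, the sample requests, and the assumption that an upgraded client sends `cmd=changegroupsubset` by POST are constructed for illustration.

```python
import re

# mod_rewrite matches a RewriteCond pattern as an unanchored regex against
# the raw query string, so re.search() models it.
UNBUNDLE = re.compile(r"cmd=unbundle")

def post_filter(method, query):
    """Assumed form of the old setup: any non-GET request needs a valid user."""
    return method != "GET"

def query_rule(method, query):
    """Setup from the message: hg_auth is set only for cmd=unbundle."""
    return UNBUNDLE.search(query) is not None

# Constructed requests: (label, method, query string, is_push).
# The POST pull is an assumption about how an upgraded client sends long arguments.
SAMPLES = [
    ("pull, old client", "GET", "cmd=changegroupsubset", False),
    ("pull, upgraded client", "POST", "cmd=changegroupsubset", False),
    ("push, any client", "POST", "cmd=unbundle", True),
]

def evaluate(policy):
    """Return (label, problem) for every sample the policy handles wrongly."""
    problems = []
    for label, method, query, is_push in SAMPLES:
        needs_auth = policy(method, query)
        if is_push and not needs_auth:
            problems.append((label, "unauthenticated push"))
        elif needs_auth and not is_push:
            problems.append((label, "prompt on read"))
    return problems

if __name__ == "__main__":
    for policy in (post_filter, query_rule):
        print(policy.__name__, evaluate(policy) or "ok")
```

Neither policy lets a push through unauthenticated; the POST filter only adds a prompt on reads from an upgraded client, which matches the migration behaviour described above.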

